Wireless Access

Okay i got a few question regard to this

1- I dont need an Air monitor ap to use this... i just can use it with any ap?

2-You just need to trunk all vlans that i want to be checked to one AP?

3-If  i just need to trunk it to just one AP, it is recomended to trunk it to at leas 2? just in case one goes down?

4-If i just trunk all the vlans to one AP, let say im a big company and i got  A LOT of vlans... is not recommened to trunk all vlans to one AP? or this just doesnt matter?

Any good practice using this is welcome if any of you can mention them.

---

@NightShade1 wrote:

Okay i got a few question regard to this

1- I dont need an Air monitor ap to use this... i just can use it with any ap?

2-You just need to trunk all vlans that i want to be checked to one AP?

3-If  i just need to trunk it to just one AP, it is recomended to trunk it to at leas 2? just in case one goes down?

4-If i just trunk all the vlans to one AP, let say im a big company and i got  A LOT of vlans... is not recommened to trunk all vlans to one AP? or this just doesnt matter?

 

 

Any good practice using this is welcome if any of you can mention them.

 

 

---

1.  You can use an AP for detection, but an Air Monitor is much more effective.

2.  Yes.

3.  Yes, but the controller will also collect macs on any VLAN that is trunked to (System-Wired-MAC).  That is  a better approach.  

4.  Please see comment #3

Hello Cjoseph

thanks for asnwering my tread

So in this case i would be able to trunk all the vlans to the Wireless controller INSTEAD of any AP, and it will still collect the mac address?

If that true then i ask you something

1-On the switch that the WC is plugged i trunk all the vlans to the WC

2-On the WC do i have to configure the vlans and also trunk back even if i dont use them? or its like the AP in which i had to do nothing? on the AP i just trunk the vlans to it and thats it... but i dont trunk anything back, could you please clarify me this one for me cjoseph

Thanks

It just has to be trunked to the controller.  To turn on wired mac learning:

#config t wms general learn-system-wired-macs enable

 To see what macs the controller has learned:

show wms wired-mac system-wired-mac

 To know if it is even on or not:

show wms general

Thank you very much cjoseph

just one last quesiton

If you had APs on air monitor and you could just turn on this

Which one you would pick?  any of those are okay ? one is not better than the other or at least less recommended?

A combination is best.

There is always one remote VLAN that you cannot physically trunk to the controller.  You would put an AP on that trunk.

This is true this is true.... i got one scenario exactly just like that.

Thanks you very much cjoseph!!!

Are the learned mac address shown in the gui?

My Controller detects a few rouge aps but i did not get the information about the wired mac.

The controller marks an AP as rouge if it is seen on wireless an wired side of the network, correct?

"show wms rogue-ap <wireless mac of ap>" will say how it was discovered.

There is no way to see it on the dashboard?

Where is the information how it wa discovered? I'n not shure if it is really a rogue ap or an interfering.

Rogue AP Info
-------------
Key           Value
---           -----
BSSID         00:11:XX:XX:XX
SSID          FRITZ!BoxFon WLAN 7170
Channel       12
Type          generic-ap
RAP Type      rogue
Status        up
Match Type    Eth-GW-Wired-Mac
Match MAC     00:a0:c5:XX:XX:XX
Match IP      0.0.0.0
Match AM      OAP-ZV0XX
Match Method  Exact-Match
Match Time    Tue Mar 27 09:09:50 2012

---

@FlorianKueck wrote:

There is no way to see it on the dashboard?

 

Where is the information how it wa discovered? I'n not shure if it is really a rogue ap or an interfering.

 

Rogue AP Info
-------------
Key           Value
---           -----
BSSID         00:11:XX:XX:XX
SSID          FRITZ!BoxFon WLAN 7170
Channel       12
Type          generic-ap
RAP Type      rogue
Status        up
Match Type    Eth-GW-Wired-Mac
Match MAC     00:a0:c5:XX:XX:XX
Match IP      0.0.0.0
Match AM      OAP-ZV0XX
Match Method  Exact-Match
Match Time    Tue Mar 27 09:09:50 2012

---

There is no way of seeing that level of detail on the dashboard, no.

RAP Type = Rogue means it is a rogue AP.

Match type - How it was discovered

Match mac - wired mac of that ap

Match ip - the ip address of the AP or controller that saw it on the wired network

Match AM - Wireless AP that saw it both on the wired and wireless

Match Method - Method used to classify that AP - Exact match means the wired and wireless mac are the same, and that is how it was classified

Thanks a lot!

But i don't understand what this information wants to tell me:

Match Type    Eth-GW-Wired-Mac

I searched the Mac addess on our network. No success? I don't understand why the controller marks it as rouge ap. If it where located in the wired network i should find the mac. Otherwise i don't understand the  definition of rogue.

Match MAC     00:a0:c5:XX:XX:XX

---

@FlorianKueck wrote:

Thanks a lot!

 

But i don't understand what this information wants to tell me:

 

Match Type    Eth-GW-Wired-Mac

 

 

I searched the Mac addess on our network. No success? I don't understand why the controller marks it as rouge ap. If it where located in the wired network i should find the mac. Otherwise i don't understand the  definition of rogue.

 

Match MAC     00:a0:c5:XX:XX:XX

 

---

That means a wired gateway was seen through an access point in the air.

---

@cjoseph wrote:

---

@FlorianKueck wrote:

Thanks a lot!

 

But i don't understand what this information wants to tell me:

 

Match Type    Eth-GW-Wired-Mac

 

 

I searched the Mac addess on our network. No success? I don't understand why the controller marks it as rouge ap. If it where located in the wired network i should find the mac. Otherwise i don't understand the  definition of rogue.

 

Match MAC     00:a0:c5:XX:XX:XX

 

---

That means a wired gateway was seen through an access point in the air.

 

---

and that means it is not an rogue ap, correct?

That means that it IS a rogue AP, because it sees wired traffic through it.

my understanding of an rogue AP is, that the controllers is seeing the AP on the wired and also on the wireless side of  his network.

Please open a support case so that they can look at your topology and configuration.  They will be able to answer all of your specific questions.  

My answers do not take into account all of the variables of your specific deployment, and might not be applicable.

Hello Cjoseph

i got a question regarding to this

I got a deployment on a client with the IPS

okay in that client there is a vlan in which they got all the APS and the wireless controller, thats the only thing in that vlan, nothing else.

now i got 2 APS as possible rogue

1 AP is a known AP they got inside their corporation

1 AP that they dont know  about it.

Now we have not YET activate or trunk ANY vlan to the APs OR the Wireless controller.(the only vlans that are trunked to the WC are the vlans for the SSIDS that are distributing the Aruba APs.

If i see the second AP they dont know about the SNR is really low  5 or 6  is the number and just 3 APs of all the aps can see it... and they all see it with low number 5, 6 or 7 on the SNR.

Now on the known AP  that  i we  all know there is inside the company, almost all the APS can see it...

and when i run

Suspect Rogue AP Info

---------------------

Key               Value

---               -----

BSSID             74:f0:6d:20:da:98

SSID              ssidoftheap

Channel           2

Type              generic-ap

RAP Type          suspected-rogue

Confidence Level  20%

Status            up

Match Type        AP-Wired-Mac

Match MAC         00:16:43:c4:d0:0e

Match IP          0.0.0.0

Match AM          AP_C4

Match Method      Exact-Match

Helper AP BSSID   00:00:00:00:00:00

Match Time        Mon Feb 27 10:56:09 201

on the wireless controller

i got 3 vlans configured on the WC

vlan 500 the vlan that the administration of the wireless controller is, 

vlan 501 internal access

vlan 502 guest access

They put the Known AP(which is not Aruba ap) on vlan 501 for some reason.

They are not trunking any vlan to those APs they just got it on access on the vlan 500

So how its possible for the AP_C4 to detect that from wired?

Even the other Unkown AP i was talking about up, also was detected as suspected rogue... buti manually changed it to interference.

Is there any way to clear the data on the dashboard on the security tab so it reclasify automatically everything AGAIN to see if it keep detecting those APs as rogue and even with Match Type   AP-Wired-Mac?

It just that its really odd... and i dont understand...the bigger issue is that i dont manage the network there and the ones that are working with me is the security department, which is not the networking deparment... and they dont have access to anything of this...

 The thing is that the mac address i mean this one Match MAC         00:16:43:c4:d0:0e is not on  

show wms wired-mac prop-eth-mac  

or on show wms system-wired-mac

Helo,

We are trying to setup L3 rogue detection. We currently have APs with ARM enabled but we don't have any dedicated air monitors. If we use L3 rogue detection, will the "hybrid" APs be able to detect rogue devices? If so, will that be on the wired and wireless medium? Also, following this link, it seems like we need to "trunk" VLANs to the APs so that they can receive broadcast frames, is this correct? When the AP receives these broadcast packets through the wired network, does it analyze the MAC address or does it forward the received wired frames to the controller for analysis? How can we implement this, is there any documentation out there that we can follow? Any help would be greatly appreciated. Thanks. 

Hello

Look you have 2 options

1-Trunk the vlan to the APS

2-Trunk the vlans to the wireless controller and issue the command config t wms general learn-system-wired-macs enable

Hybrids APS can see it but remenber hybrids APS got 2 funtions

1-Give access to clients(which is hte principal funtion

2-Scan on other channels

the IPS/IDS without air Monitor just dont work well... if you dont have Air monitors then in my opinion you should not put IPS IDS...

Because for example if you got a rule that the valid clients cannot connect to other APS that are not valids then if you have no air monitor and you got hybrids APS... if you connect to a non valid AP when the AP is serving clients you will be able to connect.. you see? it just doesnt work....

Here is a document i got attached

Attachment(s)

tb_air_monitors.pdf   988 KB 1 version

If I trunk the VLAN to the AP, what configuration do I need to perform @ at the AP side? setting up a trunk in a cisco switch is well documented but not setting the aruba AP port to a trunk port. 

No configuration necessary to the AP.  

Also if you pick to turnk to the controller you NEED to create the vlans con the controller also and trunk it back...

Otherwise it doesnt work.

Thank you for the great explanation. Also, what would be the pros and cons for each? 

Like Collin said on previus post

Quoting Collin:

"A combination is best

There is always one remote VLAN that you cannot physically trunk to the controller.  You would put an AP on that trunk."

Cheers

Carlos

what is the maximum number of vlans recommended using an aruba 600 controller for mac address learning and rogue ap detection?

Well 2048 is the maximum capacity in the mac address table for those controllers so take that in mind.

Also here is a tutorial regarding this topic:

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Tutorial-How-to-detect-Rogue-APS-with-L3-Rogue-Detection/td-p/156722

Cheers

Carlos